Replies: 3 comments 1 reply
-
@mposolda could you take a look at this one? |
Beta Was this translation helpful? Give feedback.
-
When an Authenticator is set to "Alternative" the code at DefaultAuthenticationFlow.java#L425 doesn't call |
Beta Was this translation helpful? Give feedback.
-
I'd love to see how to do this, as well. Our users hope to log in with either OTP or WebAuthn, with recovery codes as a fallback. When I logged into github just now to post this comment, my much-abused USB security key didn't work, and conveniently, github had a set of links ready for me to choose SMS or OTP as alternative second factors. I'd like to do something like that, and don't see how. |
Beta Was this translation helpful? Give feedback.
-
We want to have step-up two-factor authentication, so that
The following authentication flow works fine, as long as the user has pre-setup the factors via Account UI.
With this flow and URL param acr_values=2 the following happens, depending on already existing configuration of TOTP and Recovery Codes at the user:
What is needed: Setup of TOTP and Recovery codes should be completed in any case.
Is there some other flow setup which enforces initial configuration of both factors on first use AND allows the user to select the factor on login?
If not, would it be an option to make the "OTP Form" executor and "Recovery Authentication Form" executor configurable? (So that configuration can be set to "required" / "not required" and isn't purely depending on Alternative/Required setting at authentication time?)
Related question:
Beta Was this translation helpful? Give feedback.
All reactions